From 5577686ee8b71bc72c568c64b193494da8b87672 Mon Sep 17 00:00:00 2001 From: Emmanuelle Vargas-Gonzalez Date: Fri, 6 Oct 2017 15:09:14 -0400 Subject: [PATCH] Add new STIX2.1 SDOs and additional properties --- stix2/__init__.py | 5 +- stix2/common.py | 10 +++- stix2/core.py | 7 ++- stix2/sdo.py | 118 ++++++++++++++++++++++++++++++++++++++++++++-- stix2/sro.py | 5 ++ 5 files changed, 137 insertions(+), 8 deletions(-) diff --git a/stix2/__init__.py b/stix2/__init__.py index 53c2fb1..9361ad9 100644 --- a/stix2/__init__.py +++ b/stix2/__init__.py @@ -42,8 +42,9 @@ from .patterns import (AndBooleanExpression, AndObservationExpression, StartStopQualifier, StringConstant, TimestampConstant, WithinQualifier) from .sdo import (AttackPattern, Campaign, CourseOfAction, CustomObject, - Identity, Indicator, IntrusionSet, Malware, ObservedData, - Report, ThreatActor, Tool, Vulnerability) + Identity, Indicator, IntrusionSet, Location, Malware, Note, + ObservedData, Opinion, Report, ThreatActor, Tool, + Vulnerability) from .sources import CompositeDataSource from .sources.filesystem import (FileSystemSink, FileSystemSource, FileSystemStore) diff --git a/stix2/common.py b/stix2/common.py index d7994c6..8037657 100644 --- a/stix2/common.py +++ b/stix2/common.py @@ -11,6 +11,7 @@ from .utils import NOW, get_dict class ExternalReference(_STIXBase): + _properties = OrderedDict() _properties.update([ ('source_name', StringProperty(required=True)), @@ -26,6 +27,7 @@ class ExternalReference(_STIXBase): class KillChainPhase(_STIXBase): + _properties = OrderedDict() _properties.update([ ('kill_chain_name', StringProperty(required=True)), @@ -34,6 +36,7 @@ class KillChainPhase(_STIXBase): class GranularMarking(_STIXBase): + _properties = OrderedDict() _properties.update([ ('marking_ref', ReferenceProperty(required=True, type="marking-definition")), 
@@ -42,7 +45,7 @@ class GranularMarking(_STIXBase): class TLPMarking(_STIXBase): - # TODO: don't allow the creation of any other TLPMarkings than the ones below + _type = 'tlp' _properties = OrderedDict() _properties.update([ @@ -51,6 +54,7 @@ class TLPMarking(_STIXBase): class StatementMarking(_STIXBase): + _type = 'statement' _properties = OrderedDict() _properties.update([ @@ -78,6 +82,7 @@ class MarkingProperty(Property): class MarkingDefinition(_STIXBase, MarkingsMixin): + _type = 'marking-definition' _properties = OrderedDict() _properties.update([ @@ -137,6 +142,7 @@ def CustomMarking(type='x-custom-marking', properties=None): def custom_builder(cls): class _Custom(cls, _STIXBase): + _type = type _properties = OrderedDict() @@ -155,6 +161,8 @@ def CustomMarking(type='x-custom-marking', properties=None): return custom_builder +# TODO: don't allow the creation of any other TLPMarkings than the ones below + TLP_WHITE = MarkingDefinition( id="marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", created="2017-01-20T00:00:00.000Z", diff --git a/stix2/core.py b/stix2/core.py index 0271e34..38c9f48 100644 --- a/stix2/core.py +++ b/stix2/core.py @@ -7,8 +7,8 @@ from .base import _STIXBase from .common import MarkingDefinition from .properties import IDProperty, ListProperty, Property, TypeProperty from .sdo import (AttackPattern, Campaign, CourseOfAction, Identity, Indicator, - IntrusionSet, Malware, ObservedData, Report, ThreatActor, - Tool, Vulnerability) + IntrusionSet, Location, Malware, Note, ObservedData, Opinion, + Report, ThreatActor, Tool, Vulnerability) from .sro import Relationship, Sighting from .utils import get_dict 
@@ -59,9 +59,12 @@ OBJ_MAP = { 'identity': Identity, 'indicator': Indicator, 'intrusion-set': IntrusionSet, + 'location': Location, 'malware': Malware, + 'note': Note, 'marking-definition': MarkingDefinition, 'observed-data': ObservedData, + 'opinion': Opinion, 'report': Report, 'relationship': Relationship, 'threat-actor': ThreatActor, diff --git a/stix2/sdo.py b/stix2/sdo.py index 4664d99..5710426 100644 --- a/stix2/sdo.py +++ b/stix2/sdo.py @@ -8,9 +8,10 @@ from .base import _STIXBase from .common import ExternalReference, GranularMarking, KillChainPhase from .markings import MarkingsMixin from .observables import ObservableProperty -from .properties import (BooleanProperty, IDProperty, IntegerProperty, - ListProperty, PatternProperty, ReferenceProperty, - StringProperty, TimestampProperty, TypeProperty) +from .properties import (BooleanProperty, EnumProperty, FloatProperty, + IDProperty, IntegerProperty, ListProperty, + PatternProperty, ReferenceProperty, StringProperty, + TimestampProperty, TypeProperty) from .utils import NOW @@ -33,6 +34,8 @@ class AttackPattern(STIXDomainObject): ('kill_chain_phases', ListProperty(KillChainPhase)), ('revoked', BooleanProperty()), ('labels', ListProperty(StringProperty)), + ('confidence', IntegerProperty()), + ('lang', StringProperty()), ('external_references', ListProperty(ExternalReference)), ('object_marking_refs', ListProperty(ReferenceProperty(type="marking-definition"))), ('granular_markings', ListProperty(GranularMarking)), @@ -57,6 +60,8 @@ class Campaign(STIXDomainObject): ('objective', StringProperty()), ('revoked', BooleanProperty()), ('labels', ListProperty(StringProperty)), + ('confidence', IntegerProperty()), + ('lang', StringProperty()), ('external_references', ListProperty(ExternalReference)), ('object_marking_refs', ListProperty(ReferenceProperty(type="marking-definition"))), ('granular_markings', ListProperty(GranularMarking)), 
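Review bot: The added `('confidence', IntegerProperty()),` entry in the AttackPattern hunk (`@@ -33,6 +34,8 @@`) is declared with no bounds, while STIX 2.1 defines confidence on a 0–100 scale, so as far as this page shows a value such as -5 or 1000 would pass construction and parsing unchanged. Consumers that rank or filter threat intelligence by confidence would then act on out-of-range data from an untrusted feed. The same unbounded entry is repeated in every other SDO hunk, in CustomObject, and in the Relationship and Sighting hunks of sro.py, so one bounded property type would cover them all: an `IntegerProperty` subclass that rejects values outside 0–100, used as `('confidence', ConfidenceProperty()),` (`ConfidenceProperty` is a proposed name, not an existing class). The property lists of these classes start and end outside the hunks.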
@@ -77,6 +82,8 @@ class CourseOfAction(STIXDomainObject):
 ('description', StringProperty()),
 ('revoked', BooleanProperty()),
 ('labels', ListProperty(StringProperty)),
+ ('confidence', IntegerProperty()),
+ ('lang', StringProperty()),
 ('external_references', ListProperty(ExternalReference)),
 ('object_marking_refs', ListProperty(ReferenceProperty(type="marking-definition"))),
 ('granular_markings', ListProperty(GranularMarking)),
@@ -100,6 +107,8 @@ class Identity(STIXDomainObject):
 ('contact_information', StringProperty()),
 ('revoked', BooleanProperty()),
 ('labels', ListProperty(StringProperty)),
+ ('confidence', IntegerProperty()),
+ ('lang', StringProperty()),
 ('external_references', ListProperty(ExternalReference)),
 ('object_marking_refs', ListProperty(ReferenceProperty(type="marking-definition"))),
 ('granular_markings', ListProperty(GranularMarking)),
@@ -124,6 +133,8 @@ class Indicator(STIXDomainObject):
 ('kill_chain_phases', ListProperty(KillChainPhase)),
 ('revoked', BooleanProperty()),
 ('labels', ListProperty(StringProperty, required=True)),
+ ('confidence', IntegerProperty()),
+ ('lang', StringProperty()),
 ('external_references', ListProperty(ExternalReference)),
 ('object_marking_refs', ListProperty(ReferenceProperty(type="marking-definition"))),
 ('granular_markings', ListProperty(GranularMarking)),
@@ -151,6 +162,38 @@ class IntrusionSet(STIXDomainObject):
 ('secondary_motivations', ListProperty(StringProperty)),
 ('revoked', BooleanProperty()),
 ('labels', ListProperty(StringProperty)),
+ ('confidence', IntegerProperty()),
+ ('lang', StringProperty()),
+ ('external_references', ListProperty(ExternalReference)),
+ ('object_marking_refs', ListProperty(ReferenceProperty(type="marking-definition"))),
+ ('granular_markings', ListProperty(GranularMarking)),
+ ])
+
+
+class Location(STIXDomainObject):
+
+ _type = 'location'
+ _properties = OrderedDict()
+ _properties.update([
+ ('type', TypeProperty(_type)),
+ ('id', IDProperty(_type)),
+ ('created_by_ref', ReferenceProperty(type="identity")),
+ ('created', TimestampProperty(default=lambda: NOW, precision='millisecond')),
+ ('modified', TimestampProperty(default=lambda: NOW, precision='millisecond')),
+ ('description', StringProperty()),
+ ('latitude', FloatProperty()),
+ ('longitude', FloatProperty()),
+ ('precision', FloatProperty()),
+ ('region', StringProperty()),
+ ('country', StringProperty()),
+ ('administrative_area', StringProperty()),
+ ('city', StringProperty()),
+ ('street_address', StringProperty()),
+ ('postal_code', StringProperty()),
+ ('revoked', BooleanProperty()),
+ ('labels', ListProperty(StringProperty)),
+ ('confidence', IntegerProperty()),
+ ('lang', StringProperty()),
 ('external_references', ListProperty(ExternalReference)),
 ('object_marking_refs', ListProperty(ReferenceProperty(type="marking-definition"))),
 ('granular_markings', ListProperty(GranularMarking)),
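Review bot: `latitude`, `longitude` and `precision` in the new Location class are plain `FloatProperty()` entries with no range or dependency checks, so a location with latitude 500, or a latitude without a longitude, would validate. The STIX 2.1 Location definition bounds latitude to -90..90 and longitude to -180..180 and requires the two to appear together. That check presumably belongs in an object-level constraint on the class, if the base class offers such a hook, which is not visible here. No property in the list is marked required either, so a Location carrying no geographic data at all appears to be accepted; confirm this against the specification draft the commit targets.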
@@ -172,6 +215,32 @@ class Malware(STIXDomainObject):
 ('kill_chain_phases', ListProperty(KillChainPhase)),
 ('revoked', BooleanProperty()),
 ('labels', ListProperty(StringProperty, required=True)),
+ ('confidence', IntegerProperty()),
+ ('lang', StringProperty()),
+ ('external_references', ListProperty(ExternalReference)),
+ ('object_marking_refs', ListProperty(ReferenceProperty(type="marking-definition"))),
+ ('granular_markings', ListProperty(GranularMarking)),
+ ])
+
+
+class Note(STIXDomainObject):
+
+ _type = 'note'
+ _properties = OrderedDict()
+ _properties.update([
+ ('type', TypeProperty(_type)),
+ ('id', IDProperty(_type)),
+ ('created_by_ref', ReferenceProperty(type="identity")),
+ ('created', TimestampProperty(default=lambda: NOW, precision='millisecond')),
+ ('modified', TimestampProperty(default=lambda: NOW, precision='millisecond')),
+ ('summary', StringProperty()),
+ ('description', StringProperty(required=True)),
+ ('authors', ListProperty(StringProperty)),
+ ('object_refs', ListProperty(ReferenceProperty, required=True)),
+ ('revoked', BooleanProperty()),
+ ('labels', ListProperty(StringProperty)),
+ ('confidence', IntegerProperty()),
+ ('lang', StringProperty()),
 ('external_references', ListProperty(ExternalReference)),
 ('object_marking_refs', ListProperty(ReferenceProperty(type="marking-definition"))),
 ('granular_markings', ListProperty(GranularMarking)),
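Review bot: The new Note class has no docstring, and neither do Location and Opinion in the neighbouring hunks, so a reader cannot tell from the code which properties the library enforces for these new object types. A one-line docstring on the blank line this commit leaves under each `class` line would do, e.g. `"""STIX 2.1 Note SDO: free-text context attached to the objects listed in object_refs."""`. It should also name the two properties the list marks as required, `description` and `object_refs`.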
@@ -194,6 +263,38 @@ class ObservedData(STIXDomainObject):
 ('objects', ObservableProperty(required=True)),
 ('revoked', BooleanProperty()),
 ('labels', ListProperty(StringProperty)),
+ ('confidence', IntegerProperty()),
+ ('lang', StringProperty()),
+ ('external_references', ListProperty(ExternalReference)),
+ ('object_marking_refs', ListProperty(ReferenceProperty(type="marking-definition"))),
+ ('granular_markings', ListProperty(GranularMarking)),
+ ])
+
+
+class Opinion(STIXDomainObject):
+
+ _type = 'opinion'
+ _properties = OrderedDict()
+ _properties.update([
+ ('type', TypeProperty(_type)),
+ ('id', IDProperty(_type)),
+ ('created_by_ref', ReferenceProperty(type="identity")),
+ ('created', TimestampProperty(default=lambda: NOW, precision='millisecond')),
+ ('modified', TimestampProperty(default=lambda: NOW, precision='millisecond')),
+ ('description', StringProperty),
+ ('authors', ListProperty(StringProperty)),
+ ('object_refs', ListProperty(ReferenceProperty, required=True)),
+ ('opinion', EnumProperty(allowed=[
+ 'strongly-disagree',
+ 'disagree',
+ 'neutral',
+ 'agree',
+ 'strongly-agree'
+ ], required=True)),
+ ('revoked', BooleanProperty()),
+ ('labels', ListProperty(StringProperty)),
+ ('confidence', IntegerProperty()),
+ ('lang', StringProperty()),
 ('external_references', ListProperty(ExternalReference)),
 ('object_marking_refs', ListProperty(ReferenceProperty(type="marking-definition"))),
 ('granular_markings', ListProperty(GranularMarking)),
@@ -216,6 +317,8 @@ class Report(STIXDomainObject):
 ('object_refs', ListProperty(ReferenceProperty, required=True)),
 ('revoked', BooleanProperty()),
 ('labels', ListProperty(StringProperty, required=True)),
+ ('confidence', IntegerProperty()),
+ ('lang', StringProperty()),
 ('external_references', ListProperty(ExternalReference)),
 ('object_marking_refs', ListProperty(ReferenceProperty(type="marking-definition"))),
 ('granular_markings', ListProperty(GranularMarking)),
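Review bot: In the new Opinion class, `('description', StringProperty),` stores the property class itself rather than an instance; every other scalar entry in these hunks is written with call parentheses. Validation code that reads instance attributes or calls methods on the values of `_properties` would most likely fail or misbehave for this one property, so an Opinion carrying a description may not construct or parse. The line should read `('description', StringProperty()),`. `ListProperty(StringProperty)` on the next line is a different case, since there the class is passed as a constructor argument.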
@@ -244,6 +347,8 @@ class ThreatActor(STIXDomainObject): ('personal_motivations', ListProperty(StringProperty)), ('revoked', BooleanProperty()), ('labels', ListProperty(StringProperty, required=True)), + ('confidence', IntegerProperty()), + ('lang', StringProperty()), ('external_references', ListProperty(ExternalReference)), ('object_marking_refs', ListProperty(ReferenceProperty(type="marking-definition"))), ('granular_markings', ListProperty(GranularMarking)), @@ -266,6 +371,8 @@ class Tool(STIXDomainObject): ('tool_version', StringProperty()), ('revoked', BooleanProperty()), ('labels', ListProperty(StringProperty, required=True)), + ('confidence', IntegerProperty()), + ('lang', StringProperty()), ('external_references', ListProperty(ExternalReference)), ('object_marking_refs', ListProperty(ReferenceProperty(type="marking-definition"))), ('granular_markings', ListProperty(GranularMarking)), @@ -286,6 +393,8 @@ class Vulnerability(STIXDomainObject): ('description', StringProperty()), ('revoked', BooleanProperty()), ('labels', ListProperty(StringProperty)), + ('confidence', IntegerProperty()), + ('lang', StringProperty()), ('external_references', ListProperty(ExternalReference)), ('object_marking_refs', ListProperty(ReferenceProperty(type="marking-definition"))), ('granular_markings', ListProperty(GranularMarking)), @@ -322,6 +431,7 @@ def CustomObject(type='x-custom-type', properties=None): def custom_builder(cls): class _Custom(cls, STIXDomainObject): + _type = type _properties = OrderedDict() _properties.update([ @@ -341,6 +451,8 @@ def CustomObject(type='x-custom-type', properties=None): _properties.update([ ('revoked', BooleanProperty()), ('labels', ListProperty(StringProperty)), + ('confidence', IntegerProperty()), + ('lang', StringProperty()), ('external_references', ListProperty(ExternalReference)), ('object_marking_refs', ListProperty(ReferenceProperty(type="marking-definition"))), ('granular_markings', ListProperty(GranularMarking)), 
diff --git a/stix2/sro.py b/stix2/sro.py index 4fa0465..5e75aae 100644 --- a/stix2/sro.py +++ b/stix2/sro.py @@ -31,6 +31,8 @@ class Relationship(STIXRelationshipObject): ('target_ref', ReferenceProperty(required=True)), ('revoked', BooleanProperty()), ('labels', ListProperty(StringProperty)), + ('confidence', IntegerProperty()), + ('lang', StringProperty()), ('external_references', ListProperty(ExternalReference)), ('object_marking_refs', ListProperty(ReferenceProperty(type="marking-definition"))), ('granular_markings', ListProperty(GranularMarking)), @@ -51,6 +53,7 @@ class Relationship(STIXRelationshipObject): class Sighting(STIXRelationshipObject): + _type = 'sighting' _properties = OrderedDict() _properties.update([ @@ -68,6 +71,8 @@ class Sighting(STIXRelationshipObject): ('summary', BooleanProperty()), ('revoked', BooleanProperty()), ('labels', ListProperty(StringProperty)), + ('confidence', IntegerProperty()), + ('lang', StringProperty()), ('external_references', ListProperty(ExternalReference)), ('object_marking_refs', ListProperty(ReferenceProperty(type="marking-definition"))), ('granular_markings', ListProperty(GranularMarking)),